Register global = on ?

sky

Hi !

I have just found that the server is configured by default with register_globals=On ...

That is not a very good configuration, unless you have an old website with php3 ... and even ...

My question: Can we configure that for each website? I mean, can I put register_globals on ON with website.com, and register_globals on Off with website2.com?

Thx for your help,
Sky
 
Not that I know of, safemode is the only per domain setting of that kind available. I don't know why you would need Register_globals on. Personally I would just turn it off in the php.ini file. For some reason the setup.sh file greps it and enables it so.....

Make a poll in the Feature Requests forum and see how much people want this feature, although I doubt many.
 
Oh, well, I only need it because 1 website I have works on php3 and is quite "big", with classes and functions ... whatever, I'll just put register_globals=Off ^^

Thx for the information ...

Sky
 
I'm not sure whether or not it's a good idea to turn it off
I'm aware of the security issue related to register globals but I think you'll have many customers with bogus scripts :p
 
Yes, it's the problem, I have not many, I'll try to resolve their bugs lol :)

Thx

Sky
 
It is possible to turn it ON and OFF with the setting in .htaccess, so I would guess it's also possible to set up in Apache config file.
 
If that is the case then you will probably want it off by default and then if the user really needs it he can enable it. It would be even better if DA handled it the same way that it does php though :)
Although I don't know if that's enough reason to include the feature since register_globals is a dying feature and is/will be deprecated some time in the future since there is no real reason to need it (that I can think of now, other than older scripts)
 
Yes, it will become deprecated.
Still is a pain in the a** now :)

Sky
 
I am not sure I understand the problem.

If you want a certain PHP setting to be included for all domains, just add it to custom virtual host templates. Then you can disable it for selected vhosts with .htaccess.

Does it make sense?
 
Webcart or anyone else you know the exact lines to add for different config files to do this?
 
Chrysalis said:
Webcart or anyone else you know the exact lines to add for different config files to do this?

Here is the line to put into .htaccess file:

Code:
php_flag register_globals 1

Put that file into public_html directory of the domain you want to enable register_globals for.

Now, follow the instruction here http://help.directadmin.com/item.php?id=2
to add default settings for all domains using custom virtual host template.
 
Personally I like this to stay on in the master config (or let the admin choose when compiling php), due to the simple fact 95% of my users don't know much about how to write code the way it works without register globals.
On the other hand, I've disabled some functions in PHP to make sure I don't end up with a "welcome to all scriptkiddie's/hackers" sign on my servers...

There are still a lot of scripts that just don't work with this setting off.
So why not let DA arrange it to let it be on/off while creating the domain/user ?
 
Just to clarify something, having Register Globals set ON is a very bad idea. Most of the hackings come from exploiting this feature. Which is why I don't know what PHP group ever put it in there.

It injects your scripts with unwanted variables, mainly HTML forms, including login forms, which makes it easier to spoof logins, as it'll already try to authenticate you before checking.

Basically, scripts that require it to be on aren't well coded, as there is no legit reason to need it, but sadly some do.
 
I think it's unfair to label all scripts, which need this on, as not well coded. Globals were set to on by default before. So, there was no need to specify an input source. Since then, a number of pre-built scripts have migrated to working with it off yet continue to be victims of hackers.

Hackings actually occur because section(s) of code are written insecurely. Turning globals off may help prevent some hacking scenarios, it doesn't mean such code is any better written than ones needing it on.

IMO it's a good practice to create scripts which can run with it off. Becoming proficient at initializing and sanitizing variables though is what will help keep hackers out.
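
The login-spoofing problem and the "initialize and sanitize" advice from the posts above, as an added example that is not part of any poster's message. The function names and the demo account are hypothetical, and register_globals is emulated with extract() because the directive was removed in PHP 5.4.

```php
<?php
// Added example: emulates register_globals=On on current PHP by importing
// request parameters into local scope, which is what the directive did.

// Hypothetical credential check; the account below is constructed for the demo.
function check_password(string $user, string $pass): bool
{
    return $user === 'alice' && hash_equals('demo-secret', $pass);
}

// Legacy style: relies on $authorized being unset unless the check passes.
function legacy_login(array $request): bool
{
    extract($request);              // implicit under register_globals=On
    if (isset($user, $pass) && check_password($user, $pass)) {
        $authorized = true;
    }
    return !empty($authorized);     // a request-supplied value is used if present
}

// Hardened style: runs with register_globals=Off, names its input source,
// checks types, and initializes the decision variable before use.
function hardened_login(array $post): bool
{
    $authorized = false;
    $user = $post['user'] ?? null;
    $pass = $post['pass'] ?? null;
    if (is_string($user) && is_string($pass) && check_password($user, $pass)) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed requests: a valid login, a wrong password, and a request that
// carries an extra "authorized" parameter.
$cases = [
    'valid login'     => ['user' => 'alice', 'pass' => 'demo-secret'],
    'wrong password'  => ['user' => 'alice', 'pass' => 'guess'],
    'extra parameter' => ['user' => 'alice', 'pass' => 'guess', 'authorized' => '1'],
];
foreach ($cases as $label => $request) {
    printf("%-16s legacy=%s hardened=%s\n", $label,
        var_export(legacy_login($request), true),
        var_export(hardened_login($request), true));
}
```

The two functions disagree only on the third request, which is the case that initializing `$authorized` closes regardless of how the server is configured.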
 
We have turned register_globals off on our servers and have yet to receive more than 2 complaints out of over 3000 sites so I think that is a pretty good record.

I too would prefer to see the default go to register_globals off. I agree that this change will not by itself magically make everyone's code secure but it will prevent them from making some very stupid mistakes.

It will force them to educate themselves a bit more before they accept form input and that additional education certainly cannot hurt things.

Ultimately I'd like to see php run under the user's ID (ala su-php) so that sloppy PHP code only affects the individual user instead of everyone else that uses php. DA, Care to add that one to the wish list? It will go a long way toward cementing DA's position as more secure than those other control panel products...
 